Hi Matt,
Thank you for the response. I have attached the certificate details. My
apologies, I am not supposed to share the certificates. We are not using the
X509_VERIFY_PARAM_xxx APIs. We are using 4 certificates with the device.
1. Root CA- Baltimore CyberTrust Root
2. Intermediate CA-1 - Microsoft
Could it be because your CA-2 has the following: Extended Key Usage - Client
Authentication, Server Authentication?
Some fields that in general only apply to end certificates, e.g. name
constraints, when used in a CA certificate, are interpreted as constraints on
the certificates that can be
Probably not, that constraint is satisfied since this is SSL/TLS and the
end cert has that same EKU.
On 16/11/2015 22:37, E T wrote:
Could it be because your CA-2 has the following: Extended Key Usage
- Client Authentication, Server Authentication?
Some fields that in general only apply to
At most one of CA-1 and CA-2 would be part of the chain from Baltimore
to the end cert.
However your end cert (apparently for hosted Sharepoint services) was
issued by a 3rd MSIT CA that was not provided. If it wasn't provided to
the code either, the chain would not validate for that reason
On 16/11/15 06:52, Jayalakshmi bhat wrote:
> Hi Viktor,
>
> Thanks a lot for the detailed explanation.
>
> Our device acts as a TLS/SSL client. The device receives a chain of
> certificates as part of the SSL handshake when it is trying to get
> connected to a TLS/SSL server like SharePoint 365.
>
>
Hi All,
In an earlier version of OpenSSL (i.e. OpenSSL 1.0.1c), X509_verify_cert had a
check *if (params->trust >0)* before invoking the check_trust function.
This has been removed in OpenSSL 1.0.2d. Does it mean applications are
expected to set the X509_VERIFY_PARAM properly?
Our application works
On Sun, Nov 15, 2015 at 07:00:06PM +0530, Jayalakshmi bhat wrote:
> In an earlier version of OpenSSL (i.e. OpenSSL 1.0.1c), X509_verify_cert had a
> check *if (params->trust >0)* before invoking the check_trust function.
The OpenSSL source code is available via git:
Hi Viktor,
Thank you for the response.
This is the code snippet from OpenSSL 1.0.2d.
int X509_verify_cert(X509_STORE_CTX *ctx) {
/* we now have our chain, lets check it... */
i =
> On Nov 16, 2015, at 12:14 AM, Jayalakshmi bhat
> wrote:
>
> This is code snippet from OpenSSL 1.0.1c
>
> int X509_verify_cert(X509_STORE_CTX *ctx) {
>
>
>
>
> /* The chain
Hi Viktor,
Thanks a lot for the detailed explanation.
Our device acts as a TLS/SSL client. The device receives a chain of
certificates as part of the SSL handshake when it is trying to get connected
to a TLS/SSL server like SharePoint 365.
While validating the certificate chain from server, "*check_trust"
On Mon, Nov 16, 2015 at 01:10:19AM -0500, Viktor Dukhovni wrote:
> > You should probably explain what you're doing, and in what way OpenSSL 1.0.2
> > (all upstream versions) is not working the way you expect.
On Mon, Nov 16, 2015 at 12:22:48PM +0530, Jayalakshmi bhat wrote:
> Our device acts as
Hi Viktor,
First thing, kindly note that I am talking about *OpenSSL-1.0.1c*, not about
OpenSSL 1.0.2c.
So far we were using *OpenSSL-1.0.1c* and server validation was working
fine. Recently we upgraded the OpenSSL library to *OpenSSL-1.0.2d*.
Also we have not done any modification to the SSL